Public facing DNS server

supertight
Posts: 171
Joined: 2017/02/07 21:47:51

Public facing DNS server

Post by supertight » 2017/05/12 15:08:43

I'm attempting to configure my LAMP stack and take my student lab live.
I need my DNS to accept public requests from the DNS @ 1and1.com so I can resolve my multiple domain names to the proper zone.

My DNS server works locally. No problem.
Routers are set to forward port 53 to the proper addresses (the tools.pingdom.com URL test shows the correct internal IP for my DNS server).
I have the firewall & SELinux disabled for testing (will enable after troubleshooting).
I have /etc/named.conf looking like:

 allow-query {0.0.0.0;}; 
 recursion no;
Thanks for any ideas!

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Public facing DNS server

Post by aks » 2017/05/12 22:48:13

allow-query {0.0.0.0;};
Okay so anything that can get to your DNS server can ask questions of your DNS server (usually not a good idea, but there you go).

So have you configured any forwarders?

supertight
Posts: 171
Joined: 2017/02/07 21:47:51

Re: Public facing DNS server

Post by supertight » 2017/05/13 02:57:32

aks wrote:
allow-query {0.0.0.0;};
Okay so anything that can get to your DNS server can ask questions of your DNS server (usually not a good idea, but there you go).

So have you configured any forwarders?

1.) I'm sorry, I'm confused. Just to clarify: I don't want "allow-query {0.0.0.0}"? Isn't that required for a public-facing DNS server?
Again, just to clarify: I was under the impression it needs to accept name requests from anyone to resolve the FQDN to the proper internal IP address of the server hosting http/https.

If 0.0.0.0 is no good, what should I use to keep security tight? Should I place DNS behind a proxy? Or??

2.) I do believe I have configured forwarders.
Main Config - cat /etc/named.conf

[root@svr1 ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1;192.168.1.11;};
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
                statistics-file "/var/named/data/named_stats.txt";
                memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     {0.0.0.0;};
#       allow-transfer { Server IP }

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "nbseven.info" IN {
        type master;
        file "fwd.nbseven.info.db";
        allow-update { none; };
};

 zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "1.168.192.db";
        allow-update {none; };
};



include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Forward - cat /var/named/fwd.nbseven.info.db

[root@svr1 ~]# cat /var/named/fwd.nbseven.info.db
$TTL 86400
@ IN SOA primary.nbseven.info. root.nbseven.info. (
2016042112 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
43200 ;Minimum TTL
)
;Name Server Information
@ IN NS svr1.nbseven.info.
;IP address of Name Server
primary IN A 192.168.1.11
;Mail exchanger
nbseven.info. IN MX 10 primary.nbseven.info.
;A - Record HostName To Ip Address
mail    IN A 192.168.1.14
www     IN A 192.168.1.14
svr1    IN A 192.168.1.11
svr2    IN A 192.168.10.3
client3 IN A 192.168.10.56
svr4    IN A 192.168.1.14
svr5    IN A 192.168.1.15
;CNAME record
ftp IN CNAME www.nbseven.info.
Reverse - cat /var/named/1.168.192.db

 [root@svr1 ~]# cat /var/named/1.168.192.db
$TTL 86400
@ IN SOA primary.nbseven.info. root.nbseven.info. (
2014112511 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
;Name Server Information
@ IN NS primary.nbseven.info.
;Reverse lookup for Name Server
8 IN PTR primary.nbseven.info.
;PTR Record IP address to HostName
100 IN PTR www.nbseven.info.
150 IN PTR mail.nbseven.info.
Thanks for reading!

mghe
Posts: 766
Joined: 2015/11/24 12:04:43
Location: Katowice, Poland

Re: Public facing DNS server

Post by mghe » 2017/05/13 05:15:49

You should do this:

options {
..
allow-query { localhost; };
...
};

zone xxxx IN {
...
allow-query { any; };
...
};
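
What mghe's pattern does, modelled in Python as an added example (not BIND's own code): BIND evaluates an address match list first-match-wins, a zone's own allow-query replaces the options-level one, and no match means deny. SERVER_ADDRESSES and the ACLs below are constructed for illustration.

```python
import ipaddress

# Constructed: addresses this server owns; BIND's "localhost" keyword matches them.
SERVER_ADDRESSES = ("127.0.0.1", "::1", "192.168.1.11")


def matches(entry, client):
    """True if one address-match-list element matches the client address."""
    if entry == "any":
        return True
    if entry == "none":
        return False
    if entry == "localhost":
        return str(client) in SERVER_ADDRESSES
    if "/" in entry:                      # prefix: matches the whole network
        return client in ipaddress.ip_network(entry, strict=False)
    return client == ipaddress.ip_address(entry)   # bare address: that host only


def acl_allows(acl, client_ip):
    """First matching element decides; a leading '!' negates; no match denies."""
    client = ipaddress.ip_address(client_ip)
    for entry in acl:
        if matches(entry.lstrip("!"), client):
            return not entry.startswith("!")
    return False


def query_allowed(options_acl, zone_acls, zone, client_ip):
    """A zone's own allow-query, when present, replaces the options-level one."""
    return acl_allows(zone_acls.get(zone, options_acl), client_ip)


# mghe's layout: queries to the server itself only, except for the hosted zone.
OPTIONS_ALLOW_QUERY = ["localhost"]
ZONE_ALLOW_QUERY = {"nbseven.info": ["any"]}

if __name__ == "__main__":
    for zone in ("nbseven.info", "example.org"):
        ok = query_allowed(OPTIONS_ALLOW_QUERY, ZONE_ALLOW_QUERY, zone, "203.0.113.5")
        print(f"203.0.113.5 may query {zone}: {ok}")
```

Note that a bare address such as 0.0.0.0 in a match list names only that one host; the keyword any (or the prefix 0.0.0.0/0) is what matches every client.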

supertight
Posts: 171
Joined: 2017/02/07 21:47:51

Re: Public facing DNS server

Post by supertight » 2017/05/13 20:31:53

mghe wrote:You should do this:

options {
..
allow-query { localhost; };
...
};

zone xxxx IN {
...
allow-query { any; };
...
};

AH HA! I see what you have done there. The request can originate from anywhere, given the request is for the proper zone.
Nice. I will do this and report back.

supertight
Posts: 171
Joined: 2017/02/07 21:47:51

Re: Public facing DNS server

Post by supertight » 2017/05/15 23:08:21

Alright, here is where I went. Instead of changing my current DNS setup to allow for web traffic to different zones,
I've decided to run Bind9 on a second server. I've configured bind9 as authoritative for the express purpose of resolving incoming HTTP/HTTPS/FTP names to the correct httpd/vsftpd host.

Bind9 is running, I have recursion restricted to the localhost, and dig shows that it's working properly.

dig google.com -t ANY @localhost
Returns satisfactory results.

I'm still having resolution problems to my local hosts.
DNS Server IP: 192.168.10.3
Domain name: http://www.nbseven.info --> 192.168.10.3
Domain name: http://www.josephmurphy.online --> 192.168.1.14
Domain name: ftp.sqeely.club --> 192.168.1.14

the /etc/named.conf file:

[root@svr2 ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl "allowed-queries" {
        any;
};

acl "allowed-recursion" {
        127.0.0.1;
        ::1;
};

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query      { "allowed-queries"; };
        recursion yes;
        allow-recursion { "allowed-recursion"; };
        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/zones.conf";
the /etc/zones.conf:

[root@svr2 ~]# cat /etc/zones.conf
zone "nbseven.info" in {
        type master;
        file "fwd-zones/nbseven.info.zone";
        allow-transfer { none; };
};

zone "josephmurphy.online" in {
        type master;
        file "fwd-zones/josephmurphy.online.zone";
        allow-transfer { none; };
};

zone "sqeely.club" in {
        type master;
        file "fwd-zones/sqeely.club.zone";
        allow-transfer { none; };
};
/var/named/fwd-zones/nbseven.info.zone

[root@svr2 ~]# cat /var/named/fwd-zones/nbseven.info.zone
; zone file for nbseven.info

$TTL 14400
$ORIGIN nbseven.info.

@               IN      SOA svr2.nbseven.info. root.nbseven.info. (
                        2017051400
                        12h
                        15m
                        3w
                        3h
                        )

@               IN      NS      svr2.nbseven.info.
www             IN      A       127.0.0.1
/var/named/fwd-zones/josephmurphy.online.zone

[root@svr2 ~]# cat /var/named/fwd-zones/josephmurphy.online.zone
; zone file for josephmurphy.online
$TTL 14400
$ORIGIN josephmurphy.online.

;; SOA Resource Record
@               IN      SOA svr2.nbseven.info. hostmaster.nbseven.info. (
                        2017051400
                        12h
                        15m
                        3w
                        3h
                        )


;; Name Servers
@       IN      NS      svr2.nbseven.info.
www     IN      A       192.168.1.14
/var/named/fwd-zones/sqeely.club.zone

[root@svr2 ~]# cat /var/named/fwd-zones/sqeely.club.zone
; zone file for sqeely.club
$TTL 14400
$ORIGIN sqeely.club.

;; SOA Resource Record
@               IN      SOA svr2.nbseven.info. hostmaster.nbseven.info. (
                        2017051400
                        12h
                        15m
                        3w
                        3h
                        )


;; Name Servers
@               IN      NS      svr2.nbseven.info.
ftp             IN      A       192.168.1.14
I kept the whole thing very basic. Once I get the configuration working, I can add more function.
I know I'm close, but missing something small. What do you guys think?
Thanks for the help; any input is appreciated.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Public facing DNS server

Post by aks » 2017/05/16 17:18:16

So now I have no idea what you are asking for.

If you want other (coming in from the internet) clients to query your DNS server for your domains(s) then you need to get that added to the global DNS namespace. The people you got your domain(s) from can usually help with that.

If you want other (coming in from the internet) clients that query the 1and1 DNS servers to use your DNS servers, then 1and1 needs to add that to their DNS server.

If you want your (i.e.: coming from your machines that you control) clients to query the 1and1 DNS (say, in order to get the public IP addresses rather than private IP addresses), then you could just set up a forwarding-only server (and I do not see the keyword forwarders in the configs you've posted). So in this scenario, your machine will look up its set nameserver (say in /etc/resolv.conf) and get your DNS server. It then sends the query to your DNS server. Your DNS server doesn't know the answer, so it forwards the query to 1and1.
So your DNS queries are returning private IP addresses:
Domain name: http://www.nbseven.info --> 192.168.10.3
Domain name: http://www.josephmurphy.online --> 192.168.1.14
Domain name: ftp.sqeely.club --> 192.168.1.14
That will work internally, but not externally (they're private addresses). Do you want the "real" IP addresses returned? Can't you just put them in the DNS server (assuming you have a presence in the global DNS namespace)?

Here's some help with caching/forwarding DNS: https://www.digitalocean.com/community/ ... untu-14-04 (yes it's Ubuntu but the principles remain the same).

Or do you just need a proxy configuration?

Or is it something else completely different?

Very confused now (probably not your fault, I'm easily confused).

supertight
Posts: 171
Joined: 2017/02/07 21:47:51

Re: Public facing DNS server

Post by supertight » 2017/05/17 10:27:11

aks wrote:So now I have no idea what you are asking for.

If you want other (coming in from the internet) clients to query your DNS server for your domains(s) then you need to get that added to the global DNS namespace. The people you got your domain(s) from can usually help with that.

If you want other (coming in from the internet) clients that query the 1and1 DNS servers to use your DNS servers, then 1and1 needs to add that to their DNS server.

If you want your (i.e.: coming from your machines that you control) clients to query the 1and1 DNS (say, in order to get the public IP addresses rather than private IP addresses), then you could just set up a forwarding-only server (and I do not see the keyword forwarders in the configs you've posted). So in this scenario, your machine will look up its set nameserver (say in /etc/resolv.conf) and get your DNS server. It then sends the query to your DNS server. Your DNS server doesn't know the answer, so it forwards the query to 1and1.
So your DNS queries are returning private IP addresses:
Domain name: http://www.nbseven.info --> 192.168.10.3
Domain name: http://www.josephmurphy.online --> 192.168.1.14
Domain name: ftp.sqeely.club --> 192.168.1.14
That will work internally, but not externally (they're private addresses). Do you want the "real" IP addresses returned? Can't you just put them in the DNS server (assuming you have a presence in the global DNS namespace)?

Here's some help with caching/forwarding DNS: https://www.digitalocean.com/community/ ... untu-14-04 (yes it's Ubuntu but the principles remain the same).

Or do you just need a proxy configuration?

Or is it something else completely different?

Very confused now (probably not your fault, I'm easily confused).
aks, Thank you for the reply. I'm sorry for the confusion. Please allow me to attempt a breakdown of the situation for clarification.

What I'm trying to do:
1) I should be able to supply 1and1.com with my Public IP Address & DNS hostname.
2) 1and1.com will now forward the DNS query to my Public IP Address on port 53.
3.) My router will route the traffic from port 53 on my Public IP Address via port forwarding to my DNS host's Private IP Address.
4) my DNS server will resolve the domain name to the appropriate Private IP Address.
5) my single Public IP Address can now host multiple domain names on multiple servers.

1and1.com DNS > my Public IP > port forward > Private IP to my DNS server > Name Resolution to the proper Private IP Address hosting the requested domain/content.

I hope this clarifies the situation. I'm sure your confusion was my fault. I bet this isn't how you host multiple domains from one IP address.
I'm probably doing this all wrong.

Has this helped at all? Can you point me in the right direction?

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Public facing DNS server

Post by aks » 2017/05/17 16:12:59

Hmmm, I don't think that'll work as the traffic from the web server will have a source of <private IP>, so the originator can't reply to the message(s).
I think what you want is a reverse proxy.

All traffic inbound hits the proxy and the proxy forwards the request (based on say the URL) to the responsible web server. The web server replies to the proxy and the proxy forwards that onto the client. As the proxy is Internet facing, the originator can simply reply to the proxy (who will forward the request to the web server as before).

Make sense?

How you go about that depends on what proxy you choose to use (many people use Nginx, Apache HTTPd, Apache Traffic Manager and so on - there are many to choose from).

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Public facing DNS server

Post by TrevorH » 2017/05/17 17:53:49

DNS uses UDP and TCP port 53. Make that both are forwarded from your router to the inside machine.

Proxy? For DNS?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
